(19) 



I 



(12) 



(43) Date of publication: 

24.07.1996 Bulletin 1996/30 

(21 ) Application number; 961 00753.1 

(22) Date of fifing: 1 9.01 .1 996 



Europaisches Patentamt 
European Patent Office 
Office europeen des brevets (1 1 ) EP 0 723 251 A2 

EUROPEAN PATENT APPLICATION 

(51) int. Cl. 6 : G07C 9/00, G07F 7/08 



(84) Designated Contracting States: 


(72) Inventor: Hopkins, Dale W. 


DE FR GB ITSE 


Gilroy, California 95020 (US) 


(30) Priority: 20.01.1995 US 3761 1 5 


(74) Representative: Liesegang, Roland, Dr.-lng. et al 


FORRESTER & BOEHMERT 


(71 ) Applicant: TANDEM COMPUTERS 


Franz-Joseph-Strasse 38 


INCORPORATED 


80801 Munchen (DE) 


Cupertino, California 95014 (US) 





(54) Method and apparatus for user and security device authentication 



(57) A new process is described for verifying a user 
and/or authenticating a smart card in an off-line compu- 
ter environment with limited a priori knowledge on the 
part of the verifier. This process advantageously uses 



the computational capability and the physical and logi- 
cal security characteristics offered by a smart card. 



22 



REMOTE FACILITY 



SMART CARD 



MP 



30 



SMART CARD 
MEMORY 



TERMINAL 



| CARD ISSUER SITE 

HOST COMPUTER 



12 



25 
/ 




ENCRYPTION/ 






DECRYPTION 




/ 
24 


\ 
28 



ENCRYPTION/ 




DECRYPTION 





27 

SECURE ENVIRONMENT 



FIG. 1 



is 



CM 
< 

T— 

CM 

CO 
CM 

O 

Q. 

UJ 



Fmiiecf Cy Rank xsrc-v (UK. Bust'ie^ Services 
2 I'sb i'a 



EP 0 723 251 A2 



Description 

BACKGROUND OF THE INVENTION 

5 1. FIELD OF THE INVENTION 

The present invention relates to a method and apparatus for reliable electronic identification. More particularly, but 
without limitation, the present invention relates to the computerized identification of a smart card and smart card user. 

io 2. DESCRIPTION OF RELATED ART 

Reliable electronic identification is highly useful in many situations. For example, the banking industry requires 
identification of automatic teller machine {'"ATM") customers using security devices, typically banking cards. Various 
other types of security measures, for example those which grant or deny access to a building through an entry door, 
75 also rely upon identification of a card holder, frequently requiring the card holder to be in possession of a persona! iden- 
tification number ("PIN"). 

Because of their low cost, reliability and widespread availability, many of the above described security measures 
. have traditionally been implemented with magnetic stripe cards. However, many of these security measures can be 
improved upon through the use of "smart cards." Smart cards are typically manufactured in the form of a traditional 
20 magnetic stripe credit or banking card. However, rather than (or in addition to) storing information on a magnetic stripe, 
smart cards include solid state electronic memory, a microprocessor and electrodes on the surface of the card which 
enable the microprocessor to communicate with a smart card reading terminal The electronic memory within the smart 
card has greater memory capacity than traditional magnetic stripes. When this increased memory capacity is coupled 
with the computational ability of the microprocessor, smart cards may have much greater versatility and security then 
25 magnetic stripe cards. 

Data Encryption Standard ("DES") technology is in widespread use throughout the world for personal verification 
and, in many instances, is implemented using smart cards. However, this technology requires that a secret encryption 
key also be present in the card and that the same secret key also be present in the terminal used to conduct the verifi- 
cation process. However, a potential disadvantageous aspect of this technology is that if the secret key or keys in the 

30 terminal are exposed, then the entire system, including all verification terminals and all cards, are compromised. 

In the past, the DES-type approach has been reasonably acceptable when the authentication process is conducted 
in a highly secure environment. For example, the authentication process may be conducted by an electronic microproc- 
essor securely housed within an ATM machine. Alternatively, if the ATM is on-line to a bank's main frame computer, then 
the verification process may be conducted remotely within a secure computer room in the bank. 

35 In certain situations, however, it may be oesireable to have authentication conducted off-line by a low-priced termi- 
nal. For example, merchants could benefit from eliminating the cost of telephone network connections between credit 
card company computers and point-of-sale (POS) devices. Such POS terminals must usually be inexpensive and, 
therefore, cannot be constructed with the same physical and electronic security features typical in more expensive 
banking environments, such as those discussed above. In particular, low-priced POS terminals may lack the security 

40 measures necessary for entrusting a secret key within such a device. Therefore, there is a need for a secure verification 
and authentication system and process, wherein a low cost off-line electronic terminal can authenticate that a card is 
not counterfeit and that the user is authorized. Preferably, since the verifying terminal will not be secure, it should be 
able to verify that both the card and the user are authentic without the terminal itself containing or receiving any non- 
public information during the verification and authentication processes. The present invention fulfills this need among 

45 others. 

SUMMARY OF THE INVENTION 

This invention provides, among other things, a method and apparatus for verifying the identity of a user of a security 
so device. In a particular case, the present invention can be used to authenticate a smart card and the identity of its user 
in an off-line computer terminal environment wherein the off-line terminal has no secret information 

The process involves the interaction between two entities. These "entities" are referred to herein as the "prover" 
and the "verifier." For ease and clarity of explanation, the invention is described in the case where the prover is a smart 
card and the verifier is a computer terminal which includes a smart card reader. However, in the more general case, the 
55 prover may be any electronic entity, such as a personal computer or work station requesting access to a host computer 
or to, for example, a network. The verifying entity may simply be a software process that runs on the host computer to 
which access is requested, or it may be a separate device containing a microprocessor and/or hardwired circuitry for 
performing the verification process. 
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In any event, a fundamental characteristic of the present invention is that secret information exists within the prover 
but need not exist within the verifier. Moreover, the verification process can be completed without transferring such 
secret information (or values) between the prover and the verifier. Nevertheless, using the method of the present inven- 
tion, the prover is able to prove to the verifier that it is, in fact, the authorized entity. 

5 From a process standpoint, the overall invention includes two phases: the "personalizing" phase, wherein the smart 

card ("prover") is initialized for use in the system and the "verification and authentication phase," wherein a terminal 
("verifier") verifies that the smart card ("prover") is authorized for access to the system and that the person using the 
smart card is authorized to use it. 

In phase 1 , the user is assigned a specific smart card and that smart card is personalised to the user. This person- 

w alization process activates the card for use in either an on-line or, preferably, an off-line electronic verification and 
authorization system. At the personalizing phase, the card is loaded with the following data: 

U- The public identification of the user, such as the user's name, unique bank account number, etc. 

e- Public key exponent 
15 n- Public key modulus 

aB- The product aB is preferably stored within the card in an encrypted format. The quantities a and B are secret 
values. The value of "a" depends upon the card issuer's private public key, d, the values U and n. and the user's 
PIN, P. The quantity B depends upon U, n, the user's secret PIN, P and the card issuer's private public 
keyd. ■ 

20 

The computations used to define a may be done in a secure computer environment external to the smart card. The 
results of this computation and the other data values set forth immediately above are then downloaded to the smart 
card to complete the personalization process. 

The second phase of the process, i.e. verification and authentication, occurs when a user attempts to gain access 
25 to a secure system or portion thereof. For example, a user may wish to withdraw money from a bank account at an ATM, 
or to purchase an item in a store equipped with a POS device. In either event, the smart card ("prover") and the POS 
terminal or ATM ("verifier") interact, as follows: 

First, the user inserts the smart card into a reading device comprising a portion of f or associated with the termi- 
nal. As previously explained, the smart card contains the value aB encrypted under the user's secret PIN. Therefore, 
30 the user must enter the correct PIN in order to obtain the value aB and initiate the process within the verifying terminal. 
In the next step, the smart card generates a random variable x and then computes the value: 

T = x e (mod n). 

35 The value of T is transmitted to the terminal along with the smart card or user identification value, U. 

The terminal then generates a random number, y, called a "challenge" number. The terminal sends the challenge 
number to the smart card. The smart card uses the PIN to decrypt the value for aB stored in its memory and uses y to 
generate the responsive value, S. S is a function of y, x, aB and n. S is transmitted to the terminal. 

The terminal then computes a value, T\ which is a function of y, n, S, e, and U. If T equals T the card is verified 
40 and the user is authenticated. Otherwise, the terminal knows that either the card or the user are unauthorized. In this 
latter case where the card or user are not authorized, access to the secured system, for example the ATM, network, 
building, etc., will be denied. 

From a system standpoint, the invention comprises a central control facility, such as a main frame host computer at 
the facilities of the card issuer. This computer is equipped and configured with circuitry for communication with a highly 

45 secure peripheral computing device called a security module. The security module is programmed to perform certain 
calculations in a secure manner, as will be described in greater detail hereinafter. In particular, the security module 
computes the values a and B. 

The system further includes a smart card reader or terminal, which may be located at a site remote from the host 
computer. The smart card terminal is also in communication with the host computer. The smart card terminal is 

so equipped with encryption/decryption software and/or circuitry, and further circuitry for electrically connecting to and 
communicating with the circuitry of a smart card. The encryption/decryption circuitry of the smart card terminal is 
designed to decrypt signals received from the host computer and encrypt data received from the smart card prior to 
transmission back to the host. In this way, all communications between- the smart card reading terminal and the host 
computer are secure. 

55 • 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will now be described with reference to the accompanying drawings, wherein: 
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Fig. 1 is a block diagram illustrating the computerized system of the present invention utilized for personalizing a 
smart card. 

Figs. 2-5 are block diagrams of a smart card and smart card reading terminal illustrating information contained 
within the smart card and terminal, respectively, at each stage of the authorization and verification process, and 
5 data communicated therebetween. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

The following description is of the best presently contemplated modes of carrying out the invention This description 
w is made for the purpose of illustrating the general principles of the invention and is not to be taken in a limiting sense. 

Fig. 1 illustrates a presently preferred system 10 for personalizing a smart card 1 2. As shown in this figure, a portion 
20 of the system 10 is typically owned and/or controlled by the issuer of the smart card 12. For example, this facility 20 
may be located at the city headquarters of a bank. Fig. 1 also illustrates a remote, less secure facility 22, forming 
another portion of the system 10, such as a suburban branch of the bank from which the bank wishes to issue ATM 
75 access cards to its customers. 

The secure facility 20 includes a general purpose programmable host computer 14. The host computer 14 may be, 
but is not necessarily, a main frame computer with a Non-Stop Kernel Operating System available from Tandem Com- 
» puters Incorporated of Cupertino, California USA. The system 10 also preferably includes a microprocessor 16 con- 
tained within and forming part of a highly secure physical and electronic environment 18, such as an A7000 Security 
20 Module available from Atalla Corporation of San Jose California USA. Encryption/decryption circuitry and/or software 
27 is provided for secure communications from the card issuer site over a network 26. 

The remote facility 22 contains a terminal 24 for reading from and writing to smart cards 12. This remote facility 22 
is in communication with the secure facility 20 over the network communications link 26. The terminal 24 contains 
encryption/decryption circuitry and/or software 28 so that all communications with the host 14 over the network 26 are 
25 secure. Encrypted data received over the network 26 is decrypted by the circuitry and software 28 before being sent 
from the terminal 24 to the smart card 12. Similarly, non-encrypted data received by the terminal 24 from the smart card 
12 is encrypted by encryption circuitry 28 before transmission to the host 14. in this way, all transmissions from the ter- 
minal 24 to the host 14 are also secure. 

The smart card 12 contains a microprocessor 30 and associated non-volatile read/write memory 31. The micro- 
30 processor 30 within the smart card 12 may be placed in communication with the card reader portion of terminal 24 via 
industry-standard connectors 25. 

Personalizing the Smart Card 

35 The computations outlined in this section take place at the time the card is personalized. 

The card contains the following data which is entered at the time the card is personalized and issued. The card con- 
tains: 

U- Public identification ("ID") of the user; Name, Unique ID (e.g., an account number). The card issuer may also 
40 choose to append a unique card identifier to this quantity, U. The terminal 24 must then be able to recognize that 

U has a valid data format structure. Thus, U may have a preamble, such as a card type, bank ID or other infor- 
mation that the terminal can recognize. 

e- Public key exponent 

<5 

n- Public key modulus 

a- the product of the users' PIN, P and a digital signature on the product of U and the user's PIN. That is, 
a = P(UP) mod n , where d is the card issuer's private public key. The quantity "a" is a secret and is stored in 
so the memory 31 of smart card 12 as a product, aB. where B is defined, as follows: 

B- A secret chosen at the time the PIN, P is selected. The product aB is the only secret contained in the smart card 
and B is chosen to satisfy the following equation: 

55 U 2 P €+1 B e = 1 (mod n) (1) 

Here n = pq where* p and q are prime numbers. This linear congruence can be solved for B in the following way. 
First, raise both sides of Eq.(1) to the power d, i.e., 
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(U 2 P e+1 ) d B ed e1(modn) (2) 

From the Discrete Logarithm Theorem of number theory; 

B ed - B 2 (mod n) 

if z - ed (mod * (n) ) - ed (mod ^ {p) ^ q) ) = ed (mod (p-1)(q- 1)) where *< ft > is the Euler totient function Since p 
and q are primes, 4>(p) =p-1 and ${q) = q-1 . Now e and d are defined by the RSA encryption algorithm so that 
w ed - 1 (mod (p-1)(q-l)) • Therefore, 

B 6d - B (mod n) 



15 



30 



35 



40 



55 



So Equation (2) becomes 



(U 2 P e+1 ) d B-l (modn) (3) 



Since n is the product of two primes p and q, the greatest common divisor of (U 2 P 6+1 ) d and n is 1 so there exists a 
unique solution B. In other words, B is the multiplicative inverse of (U 2 P e+1 ) d . 
20 To solve this for B, multiply Equation (3) by 

((u*pn d / (n) - 1 

25 

and use the Euler Generalization that says 



((U*P~ , ) a )* VX ' . 1 (mod n). 



Therefore a solution is 



B m((JJ*P~y)^ n) '' m 1 (mod) 



where Hn) = (p-1)(q-1) . 

This is an explicit solution available since p and q are known and can be retained in the security module 1 8 used in 
the personalization process. Otherwise, if p and q are not retained in the security module 18, then the Extended Eucli- 

45 dean Algorithm can be used to compute B. 

The computations described immediately above are done in the security module 18 external to the smart card 12. 
The results of the computations and other data are then downloaded to the smart card 12 as part of the personalization 
process. The values a and B. however, are preferably encrypted by the security module 18 prior to transmission to the 
smart card. For example, this encryption may occur using a secret key and a DES algorithm. The encrypted values 

50 are then transmitted to terminal 24 by the host computer 14 over the network 26. Upon receipt by the terminal 24, the 
decryption software/circuitry 28 decrypts the a and B values using the same secret key, K 1t previously loaded into the 
terminal memory. 



Personal Verification and Card Authentication 

Fig. 2 illustrates the initial state of the verifying terminal 50 and smart card memory 31 following personalization. 
The terminal 50 may be a POS device including a smart card reader and a microprocessor with associated memory 
programmed to compute the functions described herein. Whatever the composition of the terminal 50, the smart card 
12 contains E p [aB], which is a cryptogram of aB encrypted under the users PIN, R Therefore, the user must enter the 
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correct PIN in order to obtain aB and initiate the process with the verifying terminal 50. PIN entry is preferably accom- 
plished with a touch-tone key pad associated with the POS device. 

As Illustrated in Fig. 3, the smart card microprocessor 30 generates a random variable, x, and then computes: 

5 T m x e (mod n). 

As further illustrated in Fig. 3, the smart card 12 transmits the value T to the terminal 50, along with the user iden- 
tification value, U. 

Fig. 4 Illustrates that, following receipt of the U and T values, the terminal 50 generates a random challenge 
w number, y, and sends y to the smart card 1 2. 

Fig. 5 Illustrates that the smart card 12 uses the PIN, P, to decrypt E p [aB] and then uses aB and y to compute s, 
where: 

S = x(aB) y (mod n). 

75 

Fig. 5 further shows that the smart card 12 sends the computed value. S, to the terminal 50. 
Using the values for S, e, U, y and n, the terminal 50 computes a value, T, as follows: 

T' E S € U y (modn) 
20 - (x(aB) y ) e U y (mod n) 

- x e (a e B e ) y U y (mod n) 
ex e (UP e+1 BVu y 

25 This follows since: 

a m p'(UP) d (mod n) and 
from the symmetric property of the RSA algorithm. 

30 

Tm X e (U 2 P e+1 B e ) y (modn) 

But since from Equation (1); 
as U 2 P e+1 B e = 1 (mod n). 

Then T becomes 

T ■ x e (mod n) 

40 

But this is exactly T, so 

T ~T 

45 Therefore, if T equals T, then the user is verified and the card is authenticated because this relation will hold true 

only if Equation (1) is satisfied. This means that B, a, U, and the PIN, P satisfy the condition established at the time the 
customer selects a PIN and the smart card 12 is personalized. In all other case, T will not equal T, the user is not ver- 
ified, and the verifying terminal 50 is programmed to deny access in all such cases. 

Each of Figs. 2-5 illustrate an interface 55 which is in communication with the verifying terminal 50. Upon comple- 

so tion of the verifying and authentication procedures described above, the terminal 50 sends an "access denied" or 
"access granted" signal to the interface 55, depending upon whether T is computed to be equal to T. The interface 55 
then transmits an appropriate signal 60 to allow access (or not) to the building, money stored in the ATM, the network, 
etc., depending upon the nature of the facility which is the subject of the security procedures. 

The above -described preferred embodiment of the invention offers a number of features which persons in the elec- 

55 tronic security field will find useful and valuable. For example: 

The card must do two RSA exponentiations per transaction to authenticate a user, as shown above. However, the 
card does not need complete RSA capability, in fact, one exponentiation, namely T g x € (mod n) , could be pre- 
compiled and stored in the smart card for use in each transaction. 
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The card issuer puts a secret into the card. However, this is not a secret key and the secret is not common to any 
other card. 

The card can do DES operations. One DES cycle is required in each transaction. 

The network controls user verification through a single public key exponent, e, and modulus, n. The e and n values 
5 are available to all terminals in the network. The private (i.e.. secret) public key, d, corresponding to e and n is con- 

tained in a secure environment only at the card issuer site. The private public key, d, does play a role in the card 
personalization process, but is not present in the card or in the verification terminal, nor anywhere in the transaction 
processing network. . ' 

There is no secret DES key in the verification algorithm. This means that all terminals 50 can verify the card 1 2 and 
70 the personal identification number, PIN, entered by the user without maintaining the secret key that is common to 
the card issuer's cards. The verifying terminal, 50, does not contain any secret-keys or data that can be compro- 
mised and lead to the massive creation of counterfeit smart cards, 12. 

There is no PIN verification value, PVV, common to many ID card security systems, to be stored either in the card 
or on a database. 

75 • The PIN is not stored in the clear in the card. 

There are no secret DES keys in-the card. There are no private public keys in either the card 12 or the terminal 50. 
The card 12 contains two secret quantities, a and B. However, neither can be created by an adversary attempting 
to manufacture a counterfeit card The secret quantities are unique to each card. Therefore, if one card is compro- 
mised, an adversary cannot create counterfeit cards. 

20 • The disclosed process is a zero knowledge interactive proving scheme that is unique to each transaction This 
attribute prevents the use of counterfeit cards that are programmed to mimic the protocol associated with : ;giti- 
mate transaction. 

No secret data is exchanged between the smart card 12 and the terminal 50. 

The most extensive processing steps take place during the personalization phase described above. The computa- 
25 tions done by the smart card 12 during the actual transaction are minimal and involve only one DES cycle and only 
two RSA exponentiations. The verifying terminal, 50, does one RSA exponentiation. 

Ah adversary cannot simply make a card which is physically identical to a valid card because the a and B values 
must be created as a function of the legitimate user's PIN, P, U and the private public key, d. Therefore, this function 
can only be created by the card issuer. 

30 

Authentication Process Without PIN Verification 

The technique presented above provides simultaneous user verification and smart card authentication However, 
certain security environments only require card authentication. Such environments can be easily accommodated with 
35 the present invention through a simple modification of the preferred embodiments described above. 

In all process steps described above which include reference to a PIN number, the value of the PIN, P, is simply set 
equal to 1 . Furthermore, the single DES cycle is eliminated because aB will now be stored in unencrypted form. These 
two modifications to the process described above eliminate the need for the user to enter a PIN number. 

40 Data Signature Algorithm 

A data signature is created using the mathematical structure shown in the card authentication algorithm. 

If the card wants to send data, D, to the terminal it must generate a random variable, x, as before and compute: 

45 T = (xh) 6 mod n. 

where h = H(D) is a hash on the data. The card sends U, D and T to the terminal. The terminal then generates a ran- 
dom challenge, y, and sends it to the card. 
The card then computes 

50 

S = x(aB) y mod n. 

The card then sends S to the terminal. Here S and T are the signature on the data. 
The terminal computes a candidate hash h' = H(D) on the data and then computes 

55 

T = S e U y (h') e mod n. 
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An analysis simitar to that discussed previously applies here so that if T = T* then h = h\ i.e., the hash computed by 
the card is equal to the hash computed by the terminal. Furthermore, a valid card provided the data since B was chosen 
as the multiplicative inverse of (U 2 P e+1 ) d during the personalization process. 

Several preferred embodiments of the present invention have been described, nevertheless it will be understood 
that various modifications may be made without departing from the spirit and scope of the invention For example, the 
security device need not be in the form of a smart card. Instead, the security device may be contained in any portable 
electronic form capable of carrying out the computations and storing the data described herein. In instances where 
electronic rather than physical access is required, the "prover" entity may be embodied in a software process within a 
stationary computer in communication with the verifier. Many other variations will be apparent to those of ordinary skill 
in the art based upon the foregoing description. Thus, the present invention is not limited to the preferred embodiments 
described herein, but may be altered in a variety of ways apparent to persons skilled in the art. 

The features disclosed in the description, the drawings, and the claims, considered alone or in any combination thereof, 
may be relevant for the implementation of the present invention in its different embodiments. 

Claims 

1 . A method for granting or denying access to a secure facility based upon the verification of a user and authentication 
of a smart card in an off-line computer environment including personalizing means for transmitting data to the smart 
card and verifying means for verifying the identity of the smart card user and authenticity of the smart card, com- 
prising the steps of: 

a. transmitting, by the personalizing means, a user ID. public key exponent, public key modulus and a secret 
derived from the card issuer's private public key to the smart card; 

b. storing the user ID, public key exponent, public key modulus and secret into a memory of the smart card; 

c. using a random number generator contained within the smart card to generate a random number; 

d. transmitting a value derived from the random number from the smart card to the verifying means, the verify- 
ing means including a verifying terminal having a smart card reading facility; 

e. generating a challenge value at the verifying terminal and transmitting the challenge value to the smart card; 

f. generating and transmitting, by the smart card, a signal to the verifying terminal based upon the public key 
modulus, the secret, the random number, and the challenge value; 

g. determining at the verifying terminal, in accordance with the signal, whether the smart card is authentic and 
the user is valid; and 

h. if the user and smart card are determined to be valid and authentic, granting access to the secure facility, 
and if either the smart card is not authentic or the user is not valid, than denying access to the secure facility. 

2. A system for granting or denying access to a secure facility, comprising: 

a. a smart card, including a microprocessor and a memory, wherein the memory contains secret information; 

b. a smart card reading and verifying terminal having a memory containing only non-secret information, said 
reading and verifying terminal being in the electronic communication with the smart card; and 

c. means, coupled to the reading and verifying terminal, for authenticating the smart card based upon elec- 
tronic communication between the smart card and the terminal, wherein said terminal memory contains only 
non-secret data during the verification process. 

3. The method of claim 1 , wherein the steps c-h are performed each time a user attempts to gain access to the secure 
facility using a smart card. 

4. The method of claim 1 or 3, wherein the steps a and b are performed once, at a time when the smart card is issued 
to the user. 

5. The method of claim 1 , 3 or 4 t further including the step of requesting the user to enter a PIN number. 

6. The method of claim 5, further including the steps of: 

encrypting, by the personalizing means, the secret using the user's correct PIN number when the card is 
issued to the user; and 

decrypting, by the smart card; the secret using the PIN number entered by the user. 

7. The method of claim 1 , 3 or 4, wherein the first transmitting step includes the steps of: 

performing, by a processor of the personalizing means, operations to obtain values a and B, where the val- 
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ues a and B are derived from the card issuer's private public key, a PIN number, and the user ID; and 

transmitting, by the processor of the personalizing means, the values a and B to the personalizing means. 

8. The method of claim 7, further including the steps of: 
5 encrypting, by the processor of the personalizing means, the values a and B before they are transmitted to 

the smart card; and 

decrypting the transmitted encrypted values of a and B before they are stored in the memory of the smart 

card. 



io 9. The method of claim 8, wherein the encrypting step includes the step of encrypting, by a processor of the person- 
alizing means, the values a and B using the DES algorithm. 

10. The method of claim 9, wherein the processor of the personalizing means is included within an A7000 Security 
module. 

75 

1 1 . The method of claims7 - 1 0, wherein 

the performing step includes the steps of: 

storing a prime number p and a prime number q in a memory of the personalizing means; and 

multiplying p by q to obtain the public key modulus, 
20 wherein the step of performing operations to obtain the value B is further performed in accordance with the 

public key modulus. 

1 2. The method of claim 1 , 3 or 4, further including the steps of: 

encrypting, by the personalizing means, the secret using a PIN number of "1 " when the smart card is issued 
25 to the user; and 

decrypting, by the smart card, the secret using a default PIN number of "1 " prior to step f. 

13. A method of providing and verifying a digital signature for data sent from a smart card in an off-line computer envi- 
ronment including personalizing means for transmitting data to the smart card and verifying means for verifying the 

30 digital signature from the smart card, comprising the steps of: 

a. transmitting, by the personalizing means, a user ID, public key exponent, public key modulus and a secret 
derived from the card issuer's private public key to the smart card; 

b. storing the user ID, public key exponent, public key modulus and secret into a memory of the smart card; 
35 c. using a random number generator contained within the smart card to generate a random number; 

d. transmitting the data, a value derived from the random number and the data, and the user ID from the smart 
card to the verifying means, the verifying means including a verifying terminal having a smart card reading 
facility, the derived value forming a first part of the digital signature; 

e. generating a challenge value at the verifying terminal and transmitting the challenge value to the smart card; 
40 f. generating and transmitting, by the smart card, a signal to the verifying terminal by the smart card based 

upon the public key modulus, the secret, the random number, and the challenge value, the signal forming a 
second part of the digital signature; 

g. determining at the verifying terminal, in accordance with the signal, whether the smart card has sent an 
authentic digital signature for the data. 

45 

14. A method for requesting access to a secure facility based upon the verification of a user and authentication of a 
smart card in an off-line computer environment including verifying means for verifying the identity of the smart card 
user and authenticity of the smart card, comprising the steps, performed by the smart card, of: 

storing in a memory of the smart card a user ID, a public key exponent, a public key modulus and a secret; 
so using a random number generator contained within the smart card to generate a random number; 

transmitting a value derived from the random number from the smart card to the verifying means; 
receiving, from the verifying means, a challenge value; and 

generating and transmitting, to the verifying terminal, a signal based upon the public' key modulus, the 
secret, the random number, and the challenge value, the signal indicative of whether the user is verified and the 
55 smart card is authentic. 

1 5. A method for granting or denying access to a secure facility based upon the verification of a user and authentication 
of a smart card in an off-line computer environment including verifying means for verifying the identity of the smart 
card user and authenticity of the smart card, the smart card storing in a memory a user ID, public key exponent, 
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public key modulus and a secret derived from the card issuer's private public key, the method comprising the steps 
performed by the verifying means of: 

receiving from the smart card a value derived from a random number generated by the smart card; 

generating a challenge value; 
5 transmitting the challenge value to the smart card; 

receiving from the smart card a signal based upon the public key modulus, the secret, the random number, 
and the challenge value; and 

determining in accordance with the signal, whether the smart card is authentic and the user is valid. 

to 16. A system for granting or denying access to a secure facility, comprising: 

a smart card, including a memory, wherein the memory contains a secret, which constitutes secret informa- 
tion, and a public key exponent and a user ID, and a public key modulus, which constitute non-secret information; 

a smart card reading and verifying terminal having a terminal memory containing only the non-secret infor- 
mation, said reading and verifying terminal being in the electronic communication with the smart card; and 
75 verifying means, coupled to the reading and verifying terminal, for authenticating the smart card based upon 

electronic communication between the smart card and the terminal, wherein said terminal memory contains only 
the non-secret information during the verification process and wherein the electronic communication does not 
transmit the secret information. 

20 17. The system of claim 16, wherein the verifying means includes: 

receiving means for receiving from the smart card the user ID and a value derived from a random number 
generated by the smart card; 

means for generating a challenge value; 
means for transmitting the challenge value to the smart card; 
25 means for receiving from the smart card, a signal based upon the public key modulus, the secret, the ran- 

dom number, and the challenge value; and 

means for determining, in accordance with the signal, whether the smart card is authentic and the user is 

valid. 

30 18. The system of claim 16 or 17, wherein the personalizing means includes: 

means for performing operations to obtain values a and B, where the values a and B are derived from the 
card issuer's private public key, a PIN number, and the user ID; and 
mean's for transmitting the values a and a to the smart card. 

35 19. The system of claim 16. 17 or 18, further including means for allowing the user to enter a PIN number. 

20. The system of claim 19, further including means for encrypting, in the personalizing means, the secret using the 
user's correct PIN when the card is issued to the user; and 

means for decrypting, in the smart card, the secret using the PIN entered by the user. 

40 
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